Implementing Secure Edge Devices using Open Source Software
Introduction to OpenBSD
James Duncan, LMS Technologist
Sheridan Institute of Technology and Advanced Learning

What is an 'Edge Device'?
- Edge of the network
- Exposed devices
  - Routers
  - NIDS
  - Firewall
  - 'Public' servers
[Diagram: example edge network with Internet, NIDS, Router, Load Balancer, Firewall, Switch, Mail, www1, www2, www3, MacNet, Mobile]

Introduction to OpenBSD
- "UNIX-like" operating system
- Spun off of NetBSD and 4.4BSD in 1996 by Theo de Raadt
- Differs from Linux in source base and in licensing
- 'Free, Functional, Secure'
- Based in Calgary
- 6 month release cycle / CVS access to current source base
- Currently in pre-release of version 3.4
- http://www.openbsd.org

Supported Architectures
- Currently supported: Alpha, hp300/HPPA, i386, mac68k, macppc, mvme68k, sparc/sparc64, VAX
- Ports in progress: mvme88k, AMD64, HPPA64, ROMP, SGI, Amiga, Sun3

Features of OpenBSD
- Bug Management
  - "Secure by Default"
  - Proactive source code auditing
  - W^X page protection / ProPolice stack protection
  - Privilege separated daemons
- Secure Communications & Services
  - IPSec using isakmpd
  - Support for NIDS (Snort)
  - Secure network services
- PF+AltQ
  - Firewall / routing / queuing using PF+AltQ

Bug Management
- Bug prevention
  - Secure by Default
  - Source code auditing
- Bug mitigation
  - W^X
  - ProPolice
  - Privilege separation

"Secure by Default"
- Definition: strictly configured by default
- Firewall rejects traffic to all ports except 22 (ssh)
- Turn off as many services as possible
- Daemons configured securely, with extraneous features turned off
- "One remote hole in the default install, in more than 7 years"

Source Code Audits
- Between 6 and 12 developers devoted to this
- Looking for basic software bugs
- If a new class of bug is found, the entire tree is re-audited
- Proactive bug-finding 'arms race'
- Reduction in setuid and setgid binaries

What is a Stack? (Basic)
- Section of contiguous memory
- Holds data, as well as program instructions
- Memory executed in sequence, until a return address is reached
[Diagram: stack memory at addresses 1382:0100, 1382:0110, 1382:0120, 1382:0130, 1382:0140]

Stack Buffer Overflows
- Overload the bounds of a data register, i.e., cram more data into a box than it was designed to hold
- Lack of bounds checking is the flaw in the code
- A buffer overflow will write executable code into memory, then modify the return address to point to this code

W^X Page Protection
- 'Write or Execute'
- A page can be either written to or executable, but not both
- Prevents an attacker from writing code anywhere into memory where it might be executed
- Supported on Sparc, Sparc64, Alpha, HPPA, i386 and PowerPC
  - Natively supported on Sparc, Sparc64, Alpha, x86-64
  - PowerPC and i386 required ugly hacks
- Similar in function, but different in execution, to PaX

ProPolice Stack Protection
- Extension to GCC (GNU C Compiler)
- Available on Linux, FreeBSD, OpenBSD, others...
- Software compiled with GCC+ProPolice has stack protection built in to it
- Makes it harder to exploit bugs such as buffer overflows by modifying the way program data is stored on the stack
- How does this work?

ProPolice (continued)
- Inserts protective code into the application at compile time
- Buffer overflow detection (concept from StackGuard)
- Variable reordering: reorder data and variables in such a way that overwriting a pointer becomes difficult when data is overflowed
- http://www.research.ibm.com/trl/projects/security/ssp/

Privilege Separation
- Concept of least privilege
- Separate network daemons into two levels
  - One process running as root for everything that requires that level of privilege
  - Sub-processes running as an unprivileged user
- This minimizes the damage caused by remote attacks
- E.g., sshd, syslogd

Privilege Separation (cont.)

    UID      PID   PPID  C STIME TTY      TIME     CMD
    root     28740 14036 0 17:35 ?        00:00:00 sshd: duncajam [priv]
    duncajam 28743 28740 0 17:35 ?        00:00:00 sshd: duncajam@pts/4
    duncajam 28744 28743 0 17:35 ?        00:00:00 -tcsh

- sshd forks off a child process at root level to handle the incoming connection
- This process forks off an unprivileged process to handle the rest of the communications

Secure Communications
- 'Snoop the Line': Network Intrusion Detection Systems
- IP Security: secured network protocol
- Secured network daemons

Intrusion Detection Systems
- Full support for Snort NIDS (Network Intrusion Detection System)
- Topic covered in another presentation, moving right along...

IPSec using isakmpd
- IP Security
  - AH: Authentication Header
  - ESP: Encapsulating Security Payload
- Compatible with other IPSec implementations, such as those available for Linux and Windows

Exposed Web Services
- Ports
- Packages: Apache, Sendmail, BIND, etc.
- Chroot (e.g. Apache)
- PrivSep (e.g. SSH, syslog)
- Audits

Modern Firewalling
- What is a firewall?
- What is a router?
- What is rate limiting (queuing)?
- This is all done in OpenBSD via the PF+AltQ subsystem
  - Configured from /etc/pf.conf
  - Configurable via the pfctl command (as root)

Packet Filter Features
- Stateful filtering, "modulate state"
- Pass / block / drop
- Match on address, source / destination ports, packet flags
- Easy syntax, with tables, lists, and highly configurable options
- Scrub: packet normalization
- Packet logging: tcpdump format
- Block spoofed packets (antispoof)
- Block packets with IP options set (OS fingerprinting)
- Anchors and sub rule sets
- spamd

PF Ruleset Example

    int_if = "fxp0"
    ext_if = "ep0"
    # The slide references $priv_nets and $icmp_types without defining them;
    # the two definitions below are assumed values so that pfctl can load the file.
    priv_nets  = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
    icmp_types = "echoreq"

    set block-policy return
    set loginterface ep0

    scrub in all

    block all
    pass quick on lo0 all
    block drop in  quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    pass in inet proto icmp all icmp-type $icmp_types keep state
    pass in  on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

Routing Features
- Basic routing
- Traffic redirection
- NAT (Network Address Translation)
- Round-robin load balancing

Routing Example

    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    nat on $ext_if inet from any to any -> { 192.0.2.5, 192.0.2.10 } source-hash
    # round-robin is the pool type PF uses to spread connections over
    # several redirection addresses (the load-balancing feature listed above)
    rdr on $ext_if proto tcp from any to any port 80 -> \
        { 10.0.0.10, 10.0.0.11, 10.0.0.13 } round-robin

Queuing Features
- Bandwidth management system
- Useful for managing outbound traffic, i.e., limiting use of some protocols or giving priority to others
- Queuing done in FIFO, CBQ, or PQ
- Based on AltQ
- Matches functionality found in commercial products such as Packeteer

Queuing Example

    altq on fxp0 priq bandwidth 610Kb queue \
        { std_out, ssh_im_out, dns_out, tcp_ack_out }
    queue std_out    priq(default)
    queue ssh_im_out priority 4 priq(red)
    queue dns_out    priority 5
    queue tcp_ack_out priority 6

    pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
        keep state queue (std_out, tcp_ack_out)

Summary
- Benefits
  - Free, secure OS
  - Enterprise-ready features
  - Available on many platforms
- Cons
  - Not performance tuned
  - No SMP support yet
  - Emphasis on security over 'bleeding-edge' software
- http://www.openbsd.org

Q&A
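The monitor/worker split shown in the Privilege Separation slides, as an added example that is not from the presentation or from OpenBSD's sshd: the privileged parent keeps root and answers one narrowly defined request over a socketpair, while the forked child drops to an unprivileged user before it does anything else. The user `nobody`, the single request code `REQ_AUTH` and the function names are assumptions made for this demo; when it is not run as root the drop is skipped so the program still runs.

```c
#define _DEFAULT_SOURCE            /* setgroups() prototype on glibc */
#include <grp.h>
#include <pwd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
enum { REQ_AUTH = 1, WORKER_FAILED = 2 };   /* request code; worker exit code */
/* Drop root the way the privsep child does: supplementary groups, gid, uid,
 * then verify root cannot be regained. Returns 0 on success. When not run as
 * root there is nothing to drop (assumption, so an ordinary user can run it). */
static int drop_privileges(const char *user)
{
    struct passwd *pw;
    if (geteuid() != 0)
        return 0;
    if ((pw = getpwnam(user)) == NULL || setgroups(1, &pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;
}

/* Fork the [priv] monitor and the unprivileged worker, joined by a socketpair
 * as in the sshd listing above. The monitor honours only REQ_AUTH, so a
 * compromised worker gains nothing beyond that narrow service. Returns the
 * verdict the worker received: 1 = granted, 0 = refused, -1 = error. */
int privsep_request(unsigned char request)
{
    int sv[2], status;
    unsigned char msg;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                /* worker: drop root, then ask the monitor */
        close(sv[0]);
        if (drop_privileges("nobody") != 0 || write(sv[1], &request, 1) != 1 ||
            read(sv[1], &msg, 1) != 1)
            _exit(WORKER_FAILED);
        _exit(msg);
    }
    close(sv[1]);                  /* monitor: keeps root, serves one request */
    if (read(sv[0], &msg, 1) == 1) {
        msg = (msg == REQ_AUTH) ? 1 : 0;
        write(sv[0], &msg, 1);     /* on failure the worker's read fails */
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == WORKER_FAILED)
        return -1;
    return WEXITSTATUS(status);
}
```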